[tor-commits] [tor-browser/tor-browser-60.0.1esr-8.0-1] Bug 1463509 - SOCKS support for Alternative Services r=valentin
gk at torproject.org
gk at torproject.org
Thu Jun 14 05:50:20 UTC 2018
commit 8a68f975ee5faa39efa26a79062476ab50dd18ab
Author: Patrick McManus <mcmanus at ducksong.com>
Date: Tue May 22 13:50:56 2018 -0400
Bug 1463509 - SOCKS support for Alternative Services r=valentin
MozReview-Commit-ID: 1oXnQuzOqsC
--HG--
extra : rebase_source : 84bfaec48c5fc216da6586e7f06f118292d3fb17
---
netwerk/base/nsSocketTransport2.cpp | 32 +++++++++++++++++++++--------
netwerk/protocol/http/AlternateServices.cpp | 8 +++++++-
netwerk/protocol/http/AlternateServices.h | 4 ++++
netwerk/protocol/http/nsHttpChannel.cpp | 5 ++---
4 files changed, 37 insertions(+), 12 deletions(-)
diff --git a/netwerk/base/nsSocketTransport2.cpp b/netwerk/base/nsSocketTransport2.cpp
index df01e62f55d3..aa9232f4698c 100644
--- a/netwerk/base/nsSocketTransport2.cpp
+++ b/netwerk/base/nsSocketTransport2.cpp
@@ -1170,7 +1170,7 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, bool &proxyTransparent, bool &us
uint32_t controlFlags = 0;
uint32_t i;
- for (i=0; i<mTypeCount; ++i) {
+ for (i = 0; i < mTypeCount; ++i) {
nsCOMPtr<nsISocketProvider> provider;
SOCKET_LOG((" pushing io layer [%u:%s]\n", i, mTypes[i]));
@@ -1199,12 +1199,30 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, bool &proxyTransparent, bool &us
// if this is the first type, we'll want the
// service to allocate a new socket
+ // Most layers _ESPECIALLY_ PSM want the origin name here as they
+ // will use it for secure checks, etc.. and any connection management
+ // differences between the origin name and the routed name can be
+ // taken care of via DNS. However, SOCKS is a special case as there is
+ // no DNS. in the case of SOCKS and PSM the PSM is a separate layer
+ // and receives the origin name.
+ const char *socketProviderHost = host;
+ int32_t socketProviderPort = port;
+ if (mProxyTransparentResolvesHost &&
+ (!strcmp(mTypes[0], "socks") || !strcmp(mTypes[0], "socks4"))) {
+ SOCKET_LOG(("SOCKS %d Host/Route override: %s:%d -> %s:%d\n",
+ mHttpsProxy,
+ socketProviderHost, socketProviderPort,
+ mHost.get(), mPort));
+ socketProviderHost = mHost.get();
+ socketProviderPort = mPort;
+ }
+
// when https proxying we want to just connect to the proxy as if
// it were the end host (i.e. expect the proxy's cert)
rv = provider->NewSocket(mNetAddr.raw.family,
- mHttpsProxy ? mProxyHost.get() : host,
- mHttpsProxy ? mProxyPort : port,
+ mHttpsProxy ? mProxyHost.get() : socketProviderHost,
+ mHttpsProxy ? mProxyPort : socketProviderPort,
proxyInfo, mOriginAttributes,
controlFlags, mTlsFlags, &fd,
getter_AddRefs(secinfo));
@@ -1213,8 +1231,7 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, bool &proxyTransparent, bool &us
NS_NOTREACHED("NewSocket succeeded but failed to create a PRFileDesc");
rv = NS_ERROR_UNEXPECTED;
}
- }
- else {
+ } else {
// the socket has already been allocated,
// so we just want the service to add itself
// to the stack (such as pushing an io layer)
@@ -1245,9 +1262,8 @@ nsSocketTransport::BuildSocket(PRFileDesc *&fd, bool &proxyTransparent, bool &us
secCtrl->SetNotificationCallbacks(callbacks);
// remember if socket type is SSL so we can ProxyStartSSL if need be.
usingSSL = isSSL;
- }
- else if ((strcmp(mTypes[i], "socks") == 0) ||
- (strcmp(mTypes[i], "socks4") == 0)) {
+ } else if ((strcmp(mTypes[i], "socks") == 0) ||
+ (strcmp(mTypes[i], "socks4") == 0)) {
// since socks is transparent, any layers above
// it do not have to worry about proxy stuff
proxyInfo = nullptr;
diff --git a/netwerk/protocol/http/AlternateServices.cpp b/netwerk/protocol/http/AlternateServices.cpp
index 2ce3d333d60d..f4cfa800715b 100644
--- a/netwerk/protocol/http/AlternateServices.cpp
+++ b/netwerk/protocol/http/AlternateServices.cpp
@@ -46,6 +46,12 @@ SchemeIsHTTPS(const nsACString &originScheme, bool &outIsHTTPS)
return NS_OK;
}
+bool
+AltSvcMapping::AcceptableProxy(nsProxyInfo *proxyInfo)
+{
+ return !proxyInfo || proxyInfo->IsDirect() || proxyInfo->IsSOCKS();
+}
+
void
AltSvcMapping::ProcessHeader(const nsCString &buf, const nsCString &originScheme,
const nsCString &originHost, int32_t originPort,
@@ -59,7 +65,7 @@ AltSvcMapping::ProcessHeader(const nsCString &buf, const nsCString &originScheme
return;
}
- if (proxyInfo && !proxyInfo->IsDirect()) {
+ if (!AcceptableProxy(proxyInfo)) {
LOG(("AltSvcMapping::ProcessHeader ignoring due to proxy\n"));
return;
}
diff --git a/netwerk/protocol/http/AlternateServices.h b/netwerk/protocol/http/AlternateServices.h
index 051f010801b4..688586ba5b89 100644
--- a/netwerk/protocol/http/AlternateServices.h
+++ b/netwerk/protocol/http/AlternateServices.h
@@ -66,6 +66,10 @@ public:
nsIInterfaceRequestor *callbacks, nsProxyInfo *proxyInfo,
uint32_t caps, const OriginAttributes &originAttributes);
+ // AcceptableProxy() decides whether a particular proxy configuration (pi) is suitable
+ // for use with Alt-Svc. No proxy (including a null pi) is suitable.
+ static bool AcceptableProxy(nsProxyInfo *pi);
+
const nsCString &AlternateHost() const { return mAlternateHost; }
const nsCString &OriginHost() const { return mOriginHost; }
uint32_t OriginPort() const { return mOriginPort; }
diff --git a/netwerk/protocol/http/nsHttpChannel.cpp b/netwerk/protocol/http/nsHttpChannel.cpp
index 28ff7709863e..35b4b4dfeb1e 100644
--- a/netwerk/protocol/http/nsHttpChannel.cpp
+++ b/netwerk/protocol/http/nsHttpChannel.cpp
@@ -6163,9 +6163,8 @@ nsHttpChannel::BeginConnect()
RefPtr<AltSvcMapping> mapping;
if (!mConnectionInfo && mAllowAltSvc && // per channel
!(mLoadFlags & LOAD_FRESH_CONNECTION) &&
- (scheme.EqualsLiteral("http") ||
- scheme.EqualsLiteral("https")) &&
- (!proxyInfo || proxyInfo->IsDirect()) &&
+ AltSvcMapping::AcceptableProxy(proxyInfo) &&
+ (scheme.EqualsLiteral("http") || scheme.EqualsLiteral("https")) &&
(mapping = gHttpHandler->GetAltServiceMapping(scheme,
host, port,
mPrivateBrowsing,
More information about the tor-commits
mailing list